Scan image #6454
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Scan image | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
schedule: | |
# Every Thursday at 7:29 PM | |
- cron: 29 19 * * 4 | |
workflow_dispatch: | |
jobs: | |
trivy-edge: | |
name: ${{ matrix.image }} | |
runs-on: ubuntu-20.04 | |
env: | |
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 | |
continue-on-error: true | |
strategy: | |
fail-fast: false | |
matrix: | |
# TODO: Get this list programmatically | |
image: | |
- 'openchallenges-apex' | |
- 'openchallenges-api-gateway' | |
- 'openchallenges-challenge-service' | |
- 'openchallenges-zipkin' | |
steps: | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Pull the image | |
run: | | |
docker pull ghcr.io/sage-bionetworks/${{ matrix.image }}:edge | |
# Deliberately chosen master here to keep up-to-date. | |
- name: Run Trivy vulnerability scanner for any major issues | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: ghcr.io/sage-bionetworks/${{ matrix.image }}:edge | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
limit-severities-for-sarif: true | |
format: template | |
template: '@/contrib/sarif.tpl' | |
output: trivy-results-${{ matrix.image }}-edge.sarif | |
# Show all detected issues. | |
# Note this will show a lot more, including major un-fixed ones. | |
- name: Run Trivy vulnerability scanner for local output | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: ghcr.io/sage-bionetworks/${{ matrix.image }}:edge | |
format: table | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: trivy-results-${{ matrix.image }}-edge.sarif | |
category: trivy-image-${{ matrix.image }}:edge | |
wait-for-processing: true | |
- name: Detain results for debug if needed | |
uses: actions/upload-artifact@v3 | |
with: | |
name: trivy-results-${{ matrix.image }}-edge.sarif | |
path: trivy-results-${{ matrix.image }}-edge.sarif | |
if-no-files-found: error |